diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6a847d1..0ad632b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -603,6 +603,7 @@ class association
 	sendto
 	recvfrom
 	setcontext
+	polmatch
 }
 
 # Updated Netlink class for KOBJECT_UEVENT family.
diff --git a/policy/mls b/policy/mls
index f9cd671..ddd5812 100644
--- a/policy/mls
+++ b/policy/mls
@@ -661,7 +661,18 @@ mlsconstrain xinput { setattr relabelinput }
 # MLS policy for the association class
 #
 
-# these access vectors have no MLS restrictions
-# association *
+mlsconstrain association { recvfrom }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { sendto }
+	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
+
+mlsconstrain association { polmatch }
+	((( l1 dom l2 ) and ( h1 domby h2 )) or
+	 ( t2 == unlabeled_t ));
 
 ') dnl end enable_mls